This webpage provides instructions for using the acme-dns DNS challenge method with various ACME clients to obtain HTTPS certificates for private networks. Caddy, Traefik, cert-manager, acme.sh, LEGO and Certify The Web are listed as ACME clients that support acme-dns. For each client, configuration examples are provided that show how to set API credentials and other settings to use the acme-dns service at https://api.getlocalcert.net/api/v1/acme-dns-compat to obtain certificates. Interesting that so many ACME clients support the acme-dns service, providing an easy way to obtain HTTPS certificates for private networks.

HN https://news.ycombinator.com/item?id=36674224

seiferteric: Proposes an idea for automatically creating trusted certificates for new devices on a private network.

hartmel: Mentions SCEP which allows automatic certificate enrollment for network devices.

mananaysiempre: Thinks using EJBCA for this, as hartmel suggested, adds unnecessary complexity.

8organicbits: Describes a solution using getlocalcert which issues certificates for anonymous domain names.

austin-cheney: Has a solution using TypeScript that checks for existing certificates and creates them if needed, installing them in the OS and browser.

bruce511: Says automating the process is possible.

lolinder: Mentions Caddy will automatically create and manage certificates for local domains.

frfl: Uses Lego to get a Let’s Encrypt certificate for a local network website using the DNS challenge.

donselaar: Recommends DANE which works well for private networks without a public CA, but lacks browser support.

7 points

Big fan of letsencrypt’s certbot with the nginx and cloudflare (or other dns providers) plugins.

Is there any reason to use caddy or traefik over nginx?

permalink
report
reply
6 points

Caddy takes almost all of the nginx boilerplate and handles it for you.

If you’re doing something simple in nginx, it’s far simpler with Caddy.

permalink
report
parent
reply
3 points

What if I’m using NGINX Proxy Manager which gives me a GUI for my dumbness?

permalink
report
parent
reply
2 points

Stick with it, sounds like you’ve got a system that works for you

permalink
report
parent
reply
1 point

You win

permalink
report
parent
reply
4 points

I found traefik to be a more feature rich, load balancer when used in kubernetes environments. Other than use in kubernetes, I’d say if you’re happy with nginx, keep using nginx :)

permalink
report
parent
reply
5 points

But why

permalink
report
reply
12 points

Because you might want to use HTTPS on a server that’s not accessible externally. Some browser features only work over HTTPS.

permalink
report
parent
reply
1 point

Sounds like a bad browser.

permalink
report
parent
reply
11 points
*

Good browsers don’t let random unauthenticated content to do whatever it wants on neither the local machine or the network.

HTTPS is also the only way to use client-side certificates for strong two-way authentication and zero-trust setups.

permalink
report
parent
reply
1 point

Every browser implements these limitations, as they’re part of the web platform. Some examples are service workers, web crypto, HTTP/2, webcam, microphone, geolocation, and more. There’s a list here: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts

permalink
report
parent
reply
4 points

Yep, caddy was as easy as to use xcaddy with the module of my DNS, configure the key and run caddy, that’s it xD.

For what lolinder mentioned in the news link you need to have port 80 open.
If you don’t want that you could configure local authority, but that’ll give the warning of a selfsigned certificate.

permalink
report
reply
4 points

Personally I use dnsrobocert with my own domains. I’ve got a few subdomains that point to a Wireguard subnet IP for private network apps (so it resolves to nothing if you’re not on VPN). Having a real valid SSL cert is really nice vs self signing, and it keeps my browser with HTTPS-Everywhere happy.

permalink
report
reply
2 points
Deleted by creator
permalink
report
reply

Technology

!technology@beehaw.org

Create post

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

Community stats

  • 2.8K

    Monthly active users

  • 2.9K

    Posts

  • 53K

    Comments